How spy state hurts tech sector

August 16, 2013, 11:17PM

08/16/2013

So let's see if we can find the thread that connects some recent news from the technology world. Microsoft Corp. has agreed to let users of its forthcoming XBox One game system disable the "always on" motion-sensing camera that was previously described as a fully integrated component that couldn't be turned off. Two companies that offer high-encryption email services, Lavabit and Silent Circle, have announced they will cease providing it. Foreign firms interested in cloud computing, widely viewed as tech's next profit machine, are seriously considering Asian and European providers instead of U.S. ones. In each case, the decision was made after concerns were raised about security. And the concerns in question were about the security policies of the U.S. government.

You can consider the National Security Agency's data-gathering programs a grim necessity to protect the nation or an outrageous violation of privacy. What is unquestionable is that they are reshaping the tech marketplace.

Yet it should have been obvious that so extensive a system of surveillance, no matter how benignly intended, would have unintended consequences. Some of the ill consequences are even predictable.

Consider cloud computing. Worldwide spending on the cloud is expected to double over the next three years to more than $200 billion. U.S. firms have been leaders in developing the technology. According to a new report from the Information Technology & Innovation Foundation, however, global worries about NSA surveillance are likely to reduce U.S. market share.

The report's admittedly loose estimate is that U.S. cloud-computing firms will lose $21 billion to $35 billion in revenue between now and 2016. According to the report, some 10 percent of non-U.S. members of the Cloud Security Alliance said they've canceled a project with a U.S. company since the disclosure of the NSA's surveillance. In addition, 56 percent indicated "that they would be less likely to use a U.S.-based cloud computing service." These are scary numbers for one of the few true growth areas in the tech sector. But they are precisely what should have been expected in the wake of the disclosures. "If I were an American cloud provider, I would be quite frustrated with my government right now," Neelie Kroes, the European Union's commissioner for digital affairs, said in the ITIF report.

It's true that the NSA never intended for its data-collection activities to become public knowledge. It's also true that many of the European allies who are complaining about the programs have fewer legal protections for data than the U.S. does. But optics — the way something looks when at last it's exposed — can also turn out to be an unintended consequence. Remember that all of this controversy is arising at the very moment when the brave knight of Internet security may be dying in his armor. We have learned already that it turns out to be easier than many experts imagined to hack even thoroughly hashed passwords.

At this year's Black Hat USA security conference in Las Vegas, experts said that recent mathematical breakthroughs mean that the major encryption protocols on which Internet security rests are likely to be cracked within five years or less. (The NSA, which should know, recommends that businesses switch to more secure protocols that are based on something called elliptic curve cryptography.)

The government's fast-growing suite of tools to get around the security of communications represents a threat to privacy not in the modern sense of a litigable right but in the old-fashioned sense of a belief that one remains anonymous while moving through the world. When Abraham Lincoln, in his search for Confederate spies, authorized the seizure of copies of all telegrams sent and received in the North, even his own supporters were outraged, not because he had violated their constitutional rights (there was no right to privacy) but because he had violated an unspoken compact between government and the governed.

It's being violated again. Few are likely to shed tears for the child-pornography defendant whose powerfully encrypted hard drives are, after repeated failures, finally cracked by the federal government. Yet we mustn't forget that it is in the nature of bureaucracies to search for more nails to strike once they've finished polishing their hammers.

That's why some commentators worry about another unintended consequence of the NSA disclosures: Typically, the way to keep a surveillance program secret is through a sort of triage — that is, by not acting on most of what you uncover. That way, those you are trying to watch can't reverse-engineer the contours of your system. They might not even know you are tracking them.

But with knowledge of the NSA's programs now public, law-enforcement agencies at all levels are demanding access to its information. But the larger the audience sifting through the data, the greater the disturbance to the uneasy balance between enforcing the law and respecting the sphere of privacy — and the greater the likely harm to domestic technology companies.

President Barack Obama has asked us to trust him to use wisely whatever has been collected, and there is no reason to doubt his sincerity. The American tradition, however, is more the other way around: It's the government that's supposed to trust the people.

<i>Stephen L. Carter is a Bloomberg View columnist and a professor of law at Yale University.</i>

So let's see if we can find the thread that connects some recent news from the technology world. Microsoft Corp. has agreed to let users of its forthcoming XBox One game system disable the "always on" motion-sensing camera that was previously described as a fully integrated component that couldn't be turned off. Two companies that offer high-encryption email services, Lavabit and Silent Circle, have announced they will cease providing it. Foreign firms interested in cloud computing, widely viewed as tech's next profit machine, are seriously considering Asian and European providers instead of U.S. ones. In each case, the decision was made after concerns were raised about security. And the concerns in question were about the security policies of the U.S. government.

You can consider the National Security Agency's data-gathering programs a grim necessity to protect the nation or an outrageous violation of privacy. What is unquestionable is that they are reshaping the tech marketplace.

Yet it should have been obvious that so extensive a system of surveillance, no matter how benignly intended, would have unintended consequences. Some of the ill consequences are even predictable.

Consider cloud computing. Worldwide spending on the cloud is expected to double over the next three years to more than $200 billion. U.S. firms have been leaders in developing the technology. According to a new report from the Information Technology & Innovation Foundation, however, global worries about NSA surveillance are likely to reduce U.S. market share.

The report's admittedly loose estimate is that U.S. cloud-computing firms will lose $21 billion to $35 billion in revenue between now and 2016. According to the report, some 10 percent of non-U.S. members of the Cloud Security Alliance said they've canceled a project with a U.S. company since the disclosure of the NSA's surveillance. In addition, 56 percent indicated "that they would be less likely to use a U.S.-based cloud computing service." These are scary numbers for one of the few true growth areas in the tech sector. But they are precisely what should have been expected in the wake of the disclosures. "If I were an American cloud provider, I would be quite frustrated with my government right now," Neelie Kroes, the European Union's commissioner for digital affairs, said in the ITIF report.

It's true that the NSA never intended for its data-collection activities to become public knowledge. It's also true that many of the European allies who are complaining about the programs have fewer legal protections for data than the U.S. does. But optics — the way something looks when at last it's exposed — can also turn out to be an unintended consequence. Remember that all of this controversy is arising at the very moment when the brave knight of Internet security may be dying in his armor. We have learned already that it turns out to be easier than many experts imagined to hack even thoroughly hashed passwords.

At this year's Black Hat USA security conference in Las Vegas, experts said that recent mathematical breakthroughs mean that the major encryption protocols on which Internet security rests are likely to be cracked within five years or less. (The NSA, which should know, recommends that businesses switch to more secure protocols that are based on something called elliptic curve cryptography.)

The government's fast-growing suite of tools to get around the security of communications represents a threat to privacy not in the modern sense of a litigable right but in the old-fashioned sense of a belief that one remains anonymous while moving through the world. When Abraham Lincoln, in his search for Confederate spies, authorized the seizure of copies of all telegrams sent and received in the North, even his own supporters were outraged, not because he had violated their constitutional rights (there was no right to privacy) but because he had violated an unspoken compact between government and the governed.

It's being violated again. Few are likely to shed tears for the child-pornography defendant whose powerfully encrypted hard drives are, after repeated failures, finally cracked by the federal government. Yet we mustn't forget that it is in the nature of bureaucracies to search for more nails to strike once they've finished polishing their hammers.

That's why some commentators worry about another unintended consequence of the NSA disclosures: Typically, the way to keep a surveillance program secret is through a sort of triage — that is, by not acting on most of what you uncover. That way, those you are trying to watch can't reverse-engineer the contours of your system. They might not even know you are tracking them.

But with knowledge of the NSA's programs now public, law-enforcement agencies at all levels are demanding access to its information. But the larger the audience sifting through the data, the greater the disturbance to the uneasy balance between enforcing the law and respecting the sphere of privacy — and the greater the likely harm to domestic technology companies.

President Barack Obama has asked us to trust him to use wisely whatever has been collected, and there is no reason to doubt his sincerity. The American tradition, however, is more the other way around: It's the government that's supposed to trust the people.

<i>Stephen L. Carter is a Bloomberg View columnist and a professor of law at Yale University.</i>